The transport layer protocol utilized in packet network communications can include extensions such as a TCP timestamp option, which is used by many current operating systems. TCP timestamps can provide an indication of when to discard delayed segments—a process known as Protection Against Wrapped Sequences (PAWS). The current Request for Comments (RFC) addressing TCP extensions for high performance, RFC 1323, summarizes the timestamp as “From the receiver's viewpoint, the timestamp is acting as a logical extension of the high-order bits of the sequence number.” Accordingly, a segment which the receiving host regards as delayed per the timestamp can be discarded by the receiving host.
However, if an intrusion detection or prevention system (IDS/IPS) utilizes a single method for analyzing and filtering segments based on timestamps, it may not analyze the same reassembled payload as a particular operating system at the destination. Consequently, an attack might successfully employ TCP timestamp value mutations to evade detection. The potential for evasion using TCP timestamps has apparently gone unnoticed.